Wireless Packet Capture via Netgear R7800

As introduced in a previous post, I have been using a $199 Netgear R7800 consumer router/AP (running DD-WRT) for performing packet wireless packet captures. Here is a little more detail on the process:

Step 2: SSH to the R7800. Use the iw command to determine which radio has 5 GHz support. First, use “iw phy” to list the details of all physical interfaces. Then, use “iw dev” to list the device to physical interface mappings. On my R7800, phy#0 has 5 GHz support and is represented by device ath0.

Step 3: Put the desired device into monitor mode and set the channel. In this example, I am using ath0 and channel 155 (5745 MHz center of the first channel 149, 80 MHz wide, and 5775 MHz center of the entire 80 MHz channel).

Step 4: Begin the capture. Here, I am saving the capture file to the ramdisk at /tmp. This particular device has only about 400 MB available, so I’m going to only capture for less than 10 seconds. After issuing the command below, press CTRL-Z to stop the capture.

root@DD-WRT:~# tcpdump -i ath0 -n -w /tmp/capture1.pcap

Step 5: Move the capture to a PC for analysis. I could use a flash drive and copy the file that way, but I already have tftp64 running on my PC for some Cisco firmware updates, so I will use tftp. 192.168.44.9 is the IP of my PC.

root@DD-WRT:~# tftp -l /tmp/capture1.pcap -p 192.168.44.9

Note: High data rate captures can become large in a hurry. This 6.3 second capture is about 237 MB in size. A quick look in Wireshark shows most of the frames were transmitted at VHT MCS 7 with 2 spatial streams, 585 Mbps rate.